Q&A: SMX director talks TaaS, compliance and NZX attacks
As one of the most crucial IT infrastructures for government services, Telecommunications-as-a-Service (TaaS) has an increasingly significant role to play in delivering a range of cross-government network, telecommunications and managed security services.
But predictably, supplying critical data services to the New Zealand Government comes with all kinds of regulatory and compliance-related red tape – getting approved for the TaaS Panel alone is its own hurdle.
And after the sustained assault on the NZX last week, even more pressure is on both TaaS providers and the TaaS panel to put measures in place to prevent this from occurring in the future.
Techday spoke to SMX co-founder and director Thom Hooker, who takes us through the implications of last week’s attack for the future of TaaS, and the changes in compliance regulations for the sector.
Do you think the government’s Telecommunications-as-a-Service (TaaS) Panel is evaluating security solutions rigorously enough?
Probably, although from our experience, the evaluation is more about ensuring processes are well documented and the supplier is ISO accredited.
Regional attacks are becoming more sophisticated, and they are increasing in volume, such as the recent NZX DDoS attack that some reports put in the region of 200Gbps (which must’ve been one of the largest attacks in this part of the world).
We believe what the New Zealand government is doing is essential: TaaS ensures any third-party service supplier is appropriately secure and set up to handle government data - big tick for the government.
Is it a tough process getting approved?
Yes, for a smaller organisation like SMX, it’s a challenging process. For a larger organisation with more resources, it’s probably easier.
However, we believe this is a necessary part of the evaluation process. SMX takes security seriously (the ‘S’ in ‘SMX’ stands for ‘Secure’, the others being ‘Mail eXchange’) and we believe the audit process is essential to ensuring government data is appropriately stored.
Approximately how much do you think SMX has invested in applying and compliance?
SMX has spent >$2m to become a TaaS supplier.
Suppliers put a lot of time and effort into TaaS compliance and applications, do you think it should be mandatory for all of gov to use these approved products?
Yes. SMX has spent upwards of $2m to become a TaaS supplier, and if government agencies can gain an exemption every time, what’s the point of establishing these all-of-government buying schemes?
In other jurisdictions, government agencies aren’t able to apply for exemptions; they have to choose from the list of nominated suppliers. We can’t see why the New Zealand government should have a different approach, especially given how small our market is and how susceptible we are to overseas influence.
Do you think local and central government are adequately protected?
Yes and no. From the research we conducted in this space recently we’d have to argue, at least in part, no. DMARC, one of the most significant security improvements to email since its invention in the 1970s, was released as a standard in 2015. Five years later, in 2020, only 4.5% of NZ government agencies have rolled out DMARC in enforcement mode. That leaves >95% of central government agencies open to email spoofing attacks.
In other areas, the New Zealand government is leading the world. For example, SEEMail is unique to New Zealand but based on standards and has been securing government email since the early 2000s.
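The enforcement-mode figure above turns on a distinction that is easy to get wrong when auditing DMARC: a domain can publish a record and still be spoofable if the policy is `p=none`, if `pct` is below 100, or if the record is malformed and therefore ignored by receivers. The following is an added example written for this page, not SMX's code or tooling, and not part of the original interview. It parses DMARC TXT records and classifies each domain's posture; the domain names and records are constructed samples. A live audit would fetch the TXT record at `_dmarc.<domain>` for each agency (for example with dnspython's `dns.resolver.resolve(name, "TXT")`) and pass the joined string to the same functions.

```python
"""Classify DMARC records by enforcement posture (added example, not SMX code).

The sample domains and records below are constructed for illustration only.
"""
from typing import Dict, Optional


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Parse a DMARC record into tag/value pairs.

    Returns None when the record is not a valid DMARC record: RFC 7489 requires
    the first tag to be 'v=DMARC1' and a 'p' tag to be present. Receivers
    ignore invalid records, so an invalid record offers no protection.
    """
    tags: Dict[str, str] = {}
    parts = [p.strip() for p in txt.strip().split(";") if p.strip()]
    for i, part in enumerate(parts):
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if i == 0 and (key != "v" or value.upper() != "DMARC1"):
            return None
        tags[key] = value
    if "p" not in tags:
        return None
    return tags


def classify_dmarc(txt: Optional[str]) -> str:
    """Map a record (None when no record is published) to a posture label.

    'enforcing'  - p=reject or p=quarantine applied to 100% of failing mail
    'partial'    - enforcing policy, but pct<100 so most failures still pass
    'monitoring' - p=none (or pct=0): reports only, spoofed mail is delivered
    'none'       - no DMARC record published at all
    'invalid'    - record present but malformed; receivers treat it as absent
    """
    if txt is None:
        return "none"
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitoring"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    if pct == 0:
        return "monitoring"  # an enforcing policy that is never applied
    return "enforcing" if pct == 100 else "partial"


def effective_subdomain_policy(txt: str) -> str:
    """Policy that applies to subdomains: 'sp' if set, otherwise 'p'.

    A common gap is p=reject with sp=none, which leaves every subdomain
    (e.g. newsletter.agency.example) open to spoofing.
    """
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    return tags.get("sp", tags["p"]).lower()


# Constructed sample records; these are not real agencies or real DNS data.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example",
    "rollout.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@rollout.example",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "broken.example": "p=reject; v=DMARC1",  # v tag must come first
    "absent.example": None,
}


def audit(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify every domain in the input map."""
    return {domain: classify_dmarc(txt) for domain, txt in records.items()}


def enforcement_rate(records: Dict[str, Optional[str]]) -> float:
    """Fraction of domains whose DMARC policy is fully enforcing."""
    results = audit(records)
    return sum(1 for r in results.values() if r == "enforcing") / len(results)


if __name__ == "__main__":
    for domain, posture in audit(SAMPLE_RECORDS).items():
        print(f"{domain:22} {posture}")
    print(f"enforcing: {enforcement_rate(SAMPLE_RECORDS):.0%}")
```

The classifier deliberately counts `pct<100`, `pct=0` and malformed records as not enforcing, since each of those leaves spoofed mail deliverable; an audit that only checks for the presence of a `_dmarc` TXT record would overstate coverage.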
Would mandatory use of the approved solutions improve this?
Yes, we think it would go a long way to improving the security risk profile of New Zealand government agencies.
The main issue as we see it is that government agencies are utilising off-shore providers who are often distracted by extra features and functionality that aren’t needed or relevant but allow the off-shore provider to justify a much higher price.
These off-shore providers haven’t been through the same evaluation process, and these government agencies are therefore risking New Zealanders’ data security by making use of various service providers with unaudited operating procedures, let alone murky ownership structures.
All SMX really wants is a level playing field that doesn’t penalise local suppliers that follow the rules while allowing unchecked numbers of off-shore providers to slurp up our government agencies and their associated data.